
detect rogue only if with defined area?

Leroy Plock
Level 1

Hello,

Has anyone ever tried to set up a system, using Cisco WLCs, Prime, and MSE, to do rogue containment, but only if the rogue is within a certain defined area? I thought it might be possible to draw the containment area on a map in Prime and base containment off of that somehow.

If we can't do containment based on the defined area, if we could at least get a notification when a rogue is within the area, that would be good.

Thank you.

3 Replies

Leo Laohoo
Hall of Fame

the rogue is within a certain defined area?

Not possible because an AP could be transmitting at full power BUT is not physically within the containment area but the RSSI can be detected. 

What I have done is set up an alert with PI (Major Alert). And this requires the Rogue Rules within WLC. My setting is to alert me if a rogue AP can be detected with an average RSSI signal of -50 dBm.

Remember, this is a per-WLC setting only and cannot be set on a per-SSID or per-AP basis. So use this carefully.

Thanks for the reply. So it's possible to determine with some precision where a client is physically, but not an AP. Is this correct?

I have been playing with the rogue rules based on RSSI as you suggested, but am finding the RSSI values are unpredictable; they don't reliably correlate with distance from the detector AP. I guess it's the same problem: you don't know what power the AP is transmitting at.

To narrow the alert to only certain APs, I've been working off of the SNMP traps. The rules in our trap collector look for the AP's MAC in the trap details, otherwise the trap is discarded.

but am finding the rssi values are unpredictable, they don't reliably correlate distance from the detector AP. I guess it's the same problem, you don't know what power the AP is transmitting at.

I found the Rogue Rules for RSSI value to be the AVERAGE. In my case, I have a known rogue AP inside a location. With the Rules I've set, I can see in PI's "Major Alarm" of the Rule being triggered because of the average value of the RSSI to be -50 dBm (and stronger).

The Rule doesn't get triggered with nearby APs because the average RSSI value is higher than -50 dBm even though at least one AP can detect the rogue AP's signal to be -50 dBm (or better).
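
The trap-collector filtering by detector AP MAC and the average-RSSI threshold discussed in this thread can be combined in a small collector-side filter; the sketch below is an added example, not code from the posters or from Cisco. The record fields (`detector_ap`, `rogue`, `rssi_dbm`), the AP allow-list, and every MAC address are constructed assumptions, and real trap contents would have to be mapped onto these fields first.

```python
# Added illustration; field names and all MAC addresses below are constructed.
AREA_DETECTOR_APS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}  # hypothetical in-area APs
RSSI_THRESHOLD_DBM = -50  # the threshold used in the thread


def normalize_mac(mac):
    """Canonical lower-case aa:bb:cc:dd:ee:ff, whatever separators the trap used."""
    digits = "".join(c for c in str(mac).lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def rogue_alerts(reports, area_aps=AREA_DETECTOR_APS, threshold=RSSI_THRESHOLD_DBM):
    """Map rogue MAC -> average RSSI for rogues in-area detectors hear at/above threshold."""
    area = {normalize_mac(m) for m in area_aps}
    readings = {}
    for report in reports:
        try:
            detector = normalize_mac(report["detector_ap"])
            rogue = normalize_mac(report["rogue"])
            rssi = float(report["rssi_dbm"])
        except (KeyError, TypeError, ValueError):
            continue  # malformed report: discard rather than alert on garbage
        if detector not in area:
            continue  # detector AP is not on the allow-list: discard
        readings.setdefault(rogue, []).append(rssi)
    averages = {rogue: sum(v) / len(v) for rogue, v in readings.items()}
    return {rogue: avg for rogue, avg in averages.items() if avg >= threshold}


# Constructed sample reports (one per detecting AP per rogue).
SAMPLE_REPORTS = [
    {"detector_ap": "00:11:22:33:44:01", "rogue": "aa:bb:cc:00:00:0a", "rssi_dbm": -45},
    {"detector_ap": "0011.2233.4402", "rogue": "AA-BB-CC-00-00-0A", "rssi_dbm": -52},
    # One in-area AP hears this rogue at -48 dBm, but the average is -59 dBm.
    {"detector_ap": "00:11:22:33:44:01", "rogue": "aa:bb:cc:00:00:0b", "rssi_dbm": -48},
    {"detector_ap": "00:11:22:33:44:02", "rogue": "aa:bb:cc:00:00:0b", "rssi_dbm": -70},
    # Strong signal, but the detector is outside the allow-list.
    {"detector_ap": "00:11:22:33:44:99", "rogue": "aa:bb:cc:00:00:0c", "rssi_dbm": -30},
    {"detector_ap": "not-a-mac", "rogue": "aa:bb:cc:00:00:0d", "rssi_dbm": -20},
]

if __name__ == "__main__":
    for rogue, avg in rogue_alerts(SAMPLE_REPORTS).items():
        print(f"ALERT rogue {rogue} average RSSI {avg:.1f} dBm")
```

Averaging only over the allow-listed detectors is a choice made for this sketch; it narrows alerts to the APs of interest but, as the thread notes, RSSI alone does not establish where the rogue physically is.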
